Editorial: Bolster safeguards after cyberattack

Star Tribune, Star Tribune

Published in Health & Fitness

Opinion editor's note: Editorials represent the opinions of the Star Tribune Editorial Board, which operates independently from the newsroom.

•••

Unfortunately, hackers didn't need sophisticated skills to pull off one of the nation's most alarming and consequential health care ransomware attacks.

Instead, the cybercriminals who crippled a UnitedHealth Group subsidiary earlier this year took advantage of a basic and obvious security oversight, a revelation made public Wednesday at two congressional hearings.

The subsidiary is called Change Healthcare. It acts as the Visa/Mastercard payment system for wide swaths of health care and is entrusted with patient data. Disturbingly, it did not have multi-factor authentication (MFA) in place across all of its systems.

MFA requires users, such as employees, to have two or more credentials to log in. If one credential is stolen or compromised, MFA provides a second layer of security to prevent bad actors from accessing networks, databases or hardware. It's a standard at many companies protecting far less vital data.

Not having it, especially in health care, is a basic error, the equivalent of not having a deadbolt on the back door in a high-crime neighborhood. With ransomware attacks hard to trace and likely to continue, the nation's lawmakers urgently need to put in place stronger information security requirements to prevent other hackers from bringing much of health care to a standstill, as the Change Health attack did.

The work to do that commendably got underway this week in Congress. Two hearings, one in the Senate and one in the House, put a timely and necessary spotlight on the ransomware attack. Andrew Witty, CEO of Minnesota-based UnitedHealth Group, testified solo throughout Wednesday.

As these events go, the hearings were unusually productive, with informed questions asked and political grandstanding at a minimum. Clarity came on some key issues, such as: How did this happen? The unsatisfying answer: UnitedHealth had completed its acquisition of Change Health in October 2022. With the company came outdated security systems, though it seems like United should have had time to ensure comprehensive MFA was in place. Hackers using stolen credentials took advantage when it did not.

The answers to other troubling questions, such as how many patients have had their health care data compromised, are alarmingly still unknown. UnitedHealth said last week "a substantial proportion" of Americans may have had their personal data compromised, the Star Tribune reported.

©2024 StarTribune. Visit at startribune.com. Distributed by Tribune Content Agency, LLC.
